We are trying to interpret, analyze and make correlations from some of the IDP events generated by SRX-3400 and SRX-650 devices. But we cannot achieve what we need because in some HTTP alerts the source IP address is from Akamai (http://www.akamai.com/) and not from the attacker.

In deeper analysis we can trace back the attacker's IP address, from the binary logs including the packet trace, looking at the X-Forwarded-For HTTP headers. But with this approach we cannot define proper actions at IDP level.

Also, as far as we know, the SRX-650 series doesn't support packet traces, so we are blind here and can't trace the real source of the attacks we are receiving.

Are we missing something, or is it not possible to interpret the X-Forwarded-For headers directly?

Any guidance or information will be much appreciated, thank you in advance and have a nice day!
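
The offline trace-back described above (reading X-Forwarded-For from the captured request), as an added example that is not part of the original post and is not SRX or Juniper code: it attributes each event to the first non-CDN address found when walking the header from right to left, and ignores the header entirely when the packet did not arrive from a CDN edge. The proxy ranges, the event records and the field names `src` and `xff` are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the CDN edge ranges (documentation prefixes, not real
# Akamai ranges); replace with the ranges your CDN actually publishes.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:cd::/48")]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def parse_hop(token):
    """Parse one X-Forwarded-For element; tolerate '[v6]:port' and 'v4:port'."""
    token = token.strip().strip('"')
    if token.startswith("["):
        token = token[1:].split("]")[0]
    elif token.count(":") == 1:
        token = token.split(":")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def real_source(peer_ip, xff_values):
    """Return the address an event should be attributed to."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        return str(peer)  # header came straight from the client: ignore it
    candidate = peer
    hops = [h for value in xff_values for h in value.split(",")]
    for token in reversed(hops):  # right-most entries were appended by proxies
        addr = parse_hop(token)
        if addr is None:
            break  # malformed element: keep the last address we could parse
        candidate = addr
        if not is_trusted(addr):
            break  # first non-proxy hop is the client as seen by the CDN
    return str(candidate)

# Constructed events; "src" and "xff" are hypothetical field names.
EVENTS = [
    {"id": 1, "src": "203.0.113.10", "xff": ["198.51.100.7"]},
    {"id": 2, "src": "203.0.113.10", "xff": ["10.0.0.1, 198.51.100.9, 203.0.113.20"]},
    {"id": 3, "src": "192.0.2.55", "xff": ["198.51.100.7"]},
    {"id": 4, "src": "203.0.113.10", "xff": []},
]

def attribute(events):
    return {e["id"]: real_source(e["src"], e["xff"]) for e in events}

if __name__ == "__main__":
    for event_id, ip in attribute(EVENTS).items():
        print(event_id, ip)
```

In event 2 the left-most entry (`10.0.0.1`) is whatever the client sent and is never reached; in event 3 the header is discarded because the peer is not a CDN edge.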